Addressing one of the largest risks in healthcare: cybersecurity.
Cyberattacks on the healthcare industry have been an unfortunate reality for decades; however, in the last few years the frequency and breadth of these attacks have reached almost epidemic levels. In 2018, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) alone levied $28 million in fines for security breaches, and that is just the tip of the iceberg. Some experts estimate these breaches cost the industry $5 billion annually, including the cost to fix the breach, the revenue lost while information is inaccessible during a breach, and the negative impact on patients’ perception of the affected organization.
The healthcare industry is a prime target for cybercriminals because of the value of healthcare data. In particular, this includes the personal health information (PHI) of patients, which can be extremely valuable for identity theft and other types of fraud. Beyond PHI, the healthcare industry’s clinical research and intellectual property are also valuable to cybercriminals.
Ransomware and Other Types of Breaches
One of the most discussed types of cyberattacks is ransomware. This refers to a situation where a cybercriminal gets access to your network and then encrypts files or otherwise restricts access to your own data or networked equipment until your organization pays a ransom. As with many data breaches, this often occurs when a worker mistakenly clicks a link in an email or interacts with something malicious online that gives the criminal access to your system.
This practice of sending emails or messages intended to get employees to click on malicious links—which are usually disguised as something innocuous such as a document from a coworker or photos from a friend—is called phishing. In a 2018 breach that resulted from a phishing attack, health insurance company Anthem, Inc., agreed to pay $16 million to OCR, establishing a new record as the single largest HIPAA fine for a security breach.
In addition to phishing, other common ways healthcare organization data is breached include:
- Loss or inadvertent disclosure of sensitive information. For example, an employee misplaces his or her work phone or leaves a laptop unattended.
- Stolen information. Similarly, an employee’s phone or computer containing sensitive information, or login and password access to secure networks, is stolen.
- Insider breach. An employee of your organization who has access to secure information maliciously provides that access to criminals.
- Third-party breach. Another organization or vendor you work with that has access to your sensitive data is breached.
- Unsecured data. Data, including PHI, that should be secured is inadvertently left discoverable by the public.